Allow certain characters to be immune for ESAPI encoder?











up vote
0
down vote

favorite












I am trying to incorporate the ESAPI encoder with my JavaEE application and want it to not encode a certain set of characters, for example '<', '!', '(', ')'.



I read on the documentation https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/Encoder.html that "all characters should be encoded, except for a specific list of "immune" characters".



I would like to know where and how I can configure this specific list of "immune" characters. Would it be in the ESAPI.properties file?






java java-ee owasp esapi







share|improve this question






















  • Totally agree with Kevin’s response below. Several of the characters you say you want to be immune are known characters that are used in many programming languages, and making those chars in particular immune, invites code injection to your application. What are you really trying to do that you think immunity is the answer? There’s a code smell here, and it stinks.
    – avgvstvs
    Nov 24 at 1:22















up vote
0
down vote

favorite












I am trying to incorporate the ESAPI encoder with my JavaEE application and want it to not encode a certain set of characters, for example '<', '!', '(', ')'.



I read on the documentation https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/Encoder.html that "all characters should be encoded, except for a specific list of "immune" characters".



I would like to know where and how I can configure this specific list of "immune" characters. Would it be in the ESAPI.properties file?






java java-ee owasp esapi







share|improve this question






















  • Totally agree with Kevin’s response below. Several of the characters you say you want to be immune are known characters that are used in many programming languages, and making those chars in particular immune, invites code injection to your application. What are you really trying to do that you think immunity is the answer? There’s a code smell here, and it stinks.
    – avgvstvs
    Nov 24 at 1:22













up vote
0
down vote

favorite









up vote
0
down vote

favorite











I am trying to incorporate the ESAPI encoder with my JavaEE application and want it to not encode a certain set of characters, for example '<', '!', '(', ')'.



I read on the documentation https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/Encoder.html that "all characters should be encoded, except for a specific list of "immune" characters".



I would like to know where and how I can configure this specific list of "immune" characters. Would it be in the ESAPI.properties file?






java java-ee owasp esapi







share|improve this question













I am trying to incorporate the ESAPI encoder with my JavaEE application and want it to not encode a certain set of characters, for example '<', '!', '(', ')'.



I read on the documentation https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/Encoder.html that "all characters should be encoded, except for a specific list of "immune" characters".



I would like to know where and how I can configure this specific list of "immune" characters. Would it be in the ESAPI.properties file?






java java-ee owasp esapi




java java-ee owasp esapi






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 22 at 16:58









Mingxuan He

62




62












  • Totally agree with Kevin’s response below. Several of the characters you say you want to be immune are known characters that are used in many programming languages, and making those chars in particular immune, invites code injection to your application. What are you really trying to do that you think immunity is the answer? There’s a code smell here, and it stinks.
    – avgvstvs
    Nov 24 at 1:22


















  • Totally agree with Kevin’s response below. Several of the characters you say you want to be immune are known characters that are used in many programming languages, and making those chars in particular immune, invites code injection to your application. What are you really trying to do that you think immunity is the answer? There’s a code smell here, and it stinks.
    – avgvstvs
    Nov 24 at 1:22
















Totally agree with Kevin’s response below. Several of the characters you say you want to be immune are known characters that are used in many programming languages, and making those chars in particular immune, invites code injection to your application. What are you really trying to do that you think immunity is the answer? There’s a code smell here, and it stinks.
– avgvstvs
Nov 24 at 1:22




Totally agree with Kevin’s response below. Several of the characters you say you want to be immune are known characters that are used in many programming languages, and making those chars in particular immune, invites code injection to your application. What are you really trying to do that you think immunity is the answer? There’s a code smell here, and it stinks.
– avgvstvs
Nov 24 at 1:22












1 Answer
1






active

oldest

votes

















up vote
1
down vote



accepted










The simple answer is, you can't. Or at least not easily. You could do this by changing the line in ESAPI.properties from:



ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder



to something like



ESAPI.Encoder=com.MyCompany.myApp.MyEncoder



and then in MyEncoder.java, replacing one or more of ESAPI's initializations of its various IMMUNE_* variables with your own. Butt that's the only way to do it. There is no method or property to redefine this, because in the general case, you should never want to do so. (There was a [poor, IMO] design decision to make all of ESAPI's reference implementations a singleton, so providing such a method to DefaultEncoder class would me you would be changing it for all instances of a class and that just seems too dangerous.)



So rather than answering your question like I did, I should be asking you why do you wish to do this? The IMMUNE_CSS codec recently had '#' added to in (currently only in the 'develop' branch on GitHub), but even that was not done without extensive discussion amongst current and former OWASP project leaders. The immune lists are judiciously choose to be "safe" in all know cases. Then are not intended to be applied for only some edge cases known to be safe. That is why I am asking "Why do you want to do this? What specifically are you trying to achieve?" as there may be a better approach to what you are trying to do.






share|improve this answer





















  • Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
    – Mingxuan He
    Nov 25 at 3:19











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53435475%2fallow-certain-characters-to-be-immune-for-esapi-encoder%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
1
down vote



accepted










The simple answer is, you can't. Or at least not easily. You could do this by changing the line in ESAPI.properties from:



ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder



to something like



ESAPI.Encoder=com.MyCompany.myApp.MyEncoder



and then in MyEncoder.java, replacing one or more of ESAPI's initializations of its various IMMUNE_* variables with your own. Butt that's the only way to do it. There is no method or property to redefine this, because in the general case, you should never want to do so. (There was a [poor, IMO] design decision to make all of ESAPI's reference implementations a singleton, so providing such a method to DefaultEncoder class would me you would be changing it for all instances of a class and that just seems too dangerous.)



So rather than answering your question like I did, I should be asking you why do you wish to do this? The IMMUNE_CSS codec recently had '#' added to in (currently only in the 'develop' branch on GitHub), but even that was not done without extensive discussion amongst current and former OWASP project leaders. The immune lists are judiciously choose to be "safe" in all know cases. Then are not intended to be applied for only some edge cases known to be safe. That is why I am asking "Why do you want to do this? What specifically are you trying to achieve?" as there may be a better approach to what you are trying to do.






share|improve this answer





















  • Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
    – Mingxuan He
    Nov 25 at 3:19















up vote
1
down vote



accepted










The simple answer is, you can't. Or at least not easily. You could do this by changing the line in ESAPI.properties from:



ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder



to something like



ESAPI.Encoder=com.MyCompany.myApp.MyEncoder



and then in MyEncoder.java, replacing one or more of ESAPI's initializations of its various IMMUNE_* variables with your own. Butt that's the only way to do it. There is no method or property to redefine this, because in the general case, you should never want to do so. (There was a [poor, IMO] design decision to make all of ESAPI's reference implementations a singleton, so providing such a method to DefaultEncoder class would me you would be changing it for all instances of a class and that just seems too dangerous.)



So rather than answering your question like I did, I should be asking you why do you wish to do this? The IMMUNE_CSS codec recently had '#' added to in (currently only in the 'develop' branch on GitHub), but even that was not done without extensive discussion amongst current and former OWASP project leaders. The immune lists are judiciously choose to be "safe" in all know cases. Then are not intended to be applied for only some edge cases known to be safe. That is why I am asking "Why do you want to do this? What specifically are you trying to achieve?" as there may be a better approach to what you are trying to do.






share|improve this answer





















  • Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
    – Mingxuan He
    Nov 25 at 3:19













up vote
1
down vote



accepted







up vote
1
down vote



accepted






The simple answer is, you can't. Or at least not easily. You could do this by changing the line in ESAPI.properties from:



ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder



to something like



ESAPI.Encoder=com.MyCompany.myApp.MyEncoder



and then in MyEncoder.java, replacing one or more of ESAPI's initializations of its various IMMUNE_* variables with your own. Butt that's the only way to do it. There is no method or property to redefine this, because in the general case, you should never want to do so. (There was a [poor, IMO] design decision to make all of ESAPI's reference implementations a singleton, so providing such a method to DefaultEncoder class would me you would be changing it for all instances of a class and that just seems too dangerous.)



So rather than answering your question like I did, I should be asking you why do you wish to do this? The IMMUNE_CSS codec recently had '#' added to in (currently only in the 'develop' branch on GitHub), but even that was not done without extensive discussion amongst current and former OWASP project leaders. The immune lists are judiciously choose to be "safe" in all know cases. Then are not intended to be applied for only some edge cases known to be safe. That is why I am asking "Why do you want to do this? What specifically are you trying to achieve?" as there may be a better approach to what you are trying to do.






share|improve this answer












The simple answer is, you can't. Or at least not easily. You could do this by changing the line in ESAPI.properties from:



ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder



to something like



ESAPI.Encoder=com.MyCompany.myApp.MyEncoder



and then in MyEncoder.java, replacing one or more of ESAPI's initializations of its various IMMUNE_* variables with your own. Butt that's the only way to do it. There is no method or property to redefine this, because in the general case, you should never want to do so. (There was a [poor, IMO] design decision to make all of ESAPI's reference implementations a singleton, so providing such a method to DefaultEncoder class would me you would be changing it for all instances of a class and that just seems too dangerous.)



So rather than answering your question like I did, I should be asking you why do you wish to do this? The IMMUNE_CSS codec recently had '#' added to in (currently only in the 'develop' branch on GitHub), but even that was not done without extensive discussion amongst current and former OWASP project leaders. The immune lists are judiciously choose to be "safe" in all know cases. Then are not intended to be applied for only some edge cases known to be safe. That is why I am asking "Why do you want to do this? What specifically are you trying to achieve?" as there may be a better approach to what you are trying to do.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 23 at 22:12









Kevin W. Wall

52625




52625












  • Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
    – Mingxuan He
    Nov 25 at 3:19


















  • Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
    – Mingxuan He
    Nov 25 at 3:19
















Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
– Mingxuan He
Nov 25 at 3:19




Initially, we wanted to fix our log forge method. We found the ESAPI encoder and replaced our custom encoder to the ESAPI one. But once we changed this, we realized we had a lot of hard code that used these symbols when we were logging, which I thought it'd be fine to just ignore these symbols, which is why I asked this question. We realize now that this "solution" has a pretty bad smell and we plan to entirely refactor our method of logging instead.
– Mingxuan He
Nov 25 at 3:19


















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53435475%2fallow-certain-characters-to-be-immune-for-esapi-encoder%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

What visual should I use to simply compare current year value vs last year in Power BI desktop

Image
0 I have column SubToBind that shows current year ratio and column PY SubToBind which shows previous year ratio. How can I simply create a card that would be displaying them both in a nice way? Something like that: I cannot achieve that with regular card, I also tried Card with States by OKViz but also unable to see both values. In KPI visual - I dont like the word "Goal", it will confuse end users. Are there any cards or other visuals that would do the job? Thanks powerbi dax powerbi-embedded share | improve this question edited Jun 11 '18 at 20:11 Oleg
Read more

Alexandru Averescu

Image
Alexandre Averescu Alexandru Averescu Naissance 3 avril 1859 Babele, Ismail  (ro) près de Izmaïl (principauté de Moldavie) Décès 2 octobre 1938 (à 79 ans) [ 1 ] Bucarest Origine   Roumanie Arme cavalerie Grade Maréchal Années de service 1901-1917 Commandement chef d'état-major général 2 e  armée 3 e  armée Groupe d'armée sud armée du Danube Conflits Guerre russo-turque de 1877-1878 Deuxième guerre balkanique Première Guerre mondiale Faits d'armes Bataille de Turtucaia/Tutrakan Bataille de Mărăști Distinctions Autres fonctions 3 fois président du Conseil des ministres ministre des Affaires étrangères ministre sans portefeuille conseiller de la Couronne modifier   Alexandre Averescu (en roumain : Alexandru Averescu .mw-parser-output .prononciation>a{background:url("//upload.wikimedia.org/wikipedia/commons/thumb/8/8a/Loudspeaker.svg/11px-Loudspeaker.svg.png")center
Read more

Trompette piccolo

Image
Ne doit pas être confondu avec trompette de poche. Trompette piccolo en si bémol, avec des branches d'embouchure différentes pour le si bémol (la plus courte) ou la (la plus longue) Trompette piccolo La trompette piccolo est la plus petite de la famille des trompettes. Elle joue une octave plus haut que la trompette standard en si bémol. La plupart des trompettes piccolo sont conçues pour jouer dans les deux tonalités de si bémol ou la, en utilisant une branche d'embouchure différente pour chaque tonalité. Le tube de la trompette piccolo en si bémol a une longueur moitié de celle de la trompette normale en si bémol. Des trompettes piccolo en sol, fa, ut sont également fabriquées, mais elles sont rares. La trompette soprano en ré, aussi connu comme la « trompette Bach », a été inventée vers 1890 par le facteur belge Victor-Charles Mahillon pour jouer les parties hautes de la trompette dans la musique de Bach et Haendel. La trompette piccolo moderne permet aux
Read more